Suspected North Korean Hackers Infiltrate Google Play With ‘KoSpy’ Spyware
A new wave of cyber-espionage appears to be unfolding on the Google Play Store as cybersecurity firm Lookout Mobile Security reports the discovery of a spyware campaign, dubbed “KoSpy,” that is suspected to be linked to North Korean hackers.
According to Lookout, KoSpy disguised itself as various utility apps on the platform. Masquerading under names such as “휴대폰 관리자” (Phone Manager), “File Manager,” “스마트 관리자” (Smart Manager), “카카오 보안” (Kakao Security), and “Software Update Utility,” the malicious apps were designed with basic interfaces that could either modify Android phone settings or simply display a dummy system window prompting users for device permissions.
Once installed, the spyware would quietly collect sensitive information from infected devices, including SMS messages, screenshots, and other personal data. The malware secretly communicates with a hacker-controlled server and then downloads various plugins intended to broaden its surveillance capabilities. It also has the flexibility to display messages in both Korean and English, further suggesting its targeted nature.
A Google spokesperson confirmed that the malware infiltrated the Google Play Store under the guise of an app titled “File Manager – Android.” Although this particular version reportedly attracted only about 10 downloads, the incident underscores the persistent risk posed by sophisticated phishing and malware distribution techniques. “Before any user installations, the latest malware sample discovered in March 2024 was removed from Google Play. Google Play Protect automatically safeguards Android devices with Google Play Services, even if apps are sideloaded from outside sources,” the spokesperson stated.
Lookout Mobile Security has expressed “medium confidence” that the spyware is linked to North Korean hacking groups, including APT37—also known as ScarCruft—and APT43. One of the key factors in this attribution is that one of the domains contacted by KoSpy resolves to an IP address in South Korea, historically associated with North Korean cyber activities. However, due to overlapping infrastructure and similar tactics among these groups, pinpointing a single actor remains challenging.
While KoSpy has been traced back to at least March 2022, the most recent sample was collected in March 2024. Although the command-and-control (C2) servers for the spyware have now been rendered inactive—suggesting that the malware may have been retired—the incident raises concerns about how advanced cyber-espionage tools can slip through platform defenses and target unsuspecting users.
The incident serves as a reminder for both users and developers to remain vigilant. Regularly updating devices, scrutinizing app permissions, and downloading apps only from verified sources are critical steps in reducing the risk of falling victim to such targeted malware campaigns.
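One concrete way to act on the "scrutinize app permissions" advice is to check what a supposedly simple utility app has actually been granted. The script below is an added example, not code from the article or from Lookout: it parses text in the shape of `adb shell dumpsys package <pkg>` output (the sample here is constructed, not captured from KoSpy), lists granted permissions that a file or phone manager rarely needs, and flags the combination the article describes (SMS access plus a draw-over-apps overlay plus network). The permission names are real Android constants; the risk heuristic is our own assumption.

```python
"""Added example (not from the article or from Lookout): audit granted Android
permissions for apps whose stated purpose does not justify them.

Input is text shaped like `adb shell dumpsys package <pkg>` output; the
sample below is constructed for this example, not captured from KoSpy.
"""
import re
from dataclasses import dataclass

# Real Android permission names that a "file manager" / "phone manager"
# utility rarely needs. Mapping them to the behaviour reported in the
# article (SMS theft, fake system window) is this example's own heuristic.
SENSITIVE = {
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.RECORD_AUDIO": "record microphone",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (fake system dialogs)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install additional packages",
}

# Constructed sample resembling the permission blocks dumpsys prints;
# "granted=true/false" is the field the parser keys on.
SAMPLE_DUMPSYS = """\
Package [com.example.filemanager] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_granted(dump: str) -> dict[str, set[str]]:
    """Return {package: set of granted permission names} from dumpsys-style text."""
    granted: dict[str, set[str]] = {}
    current = None
    for line in dump.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            granted.setdefault(current, set())
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(2) == "true":
            granted[current].add(perm.group(1))
    return granted


@dataclass
class Finding:
    package: str
    permissions: list[str]   # granted permissions from SENSITIVE, sorted
    profile_match: bool      # SMS access + overlay + network, as described


def audit(granted: dict[str, set[str]]) -> list[Finding]:
    """Flag packages holding sensitive permissions; mark the spyware-like profile."""
    findings = []
    for pkg, perms in sorted(granted.items()):
        flagged = sorted(p for p in perms if p in SENSITIVE)
        if not flagged:
            continue
        sms = bool(perms & {"android.permission.READ_SMS",
                            "android.permission.RECEIVE_SMS"})
        overlay = "android.permission.SYSTEM_ALERT_WINDOW" in perms
        network = "android.permission.INTERNET" in perms
        findings.append(Finding(pkg, flagged, sms and overlay and network))
    return findings


def report(findings: list[Finding]) -> str:
    """Human-readable summary of the audit (for the reader; tests use audit())."""
    lines = []
    for f in findings:
        tag = "  [matches SMS+overlay+network profile]" if f.profile_match else ""
        lines.append(f"{f.package}{tag}")
        for p in f.permissions:
            lines.append(f"  - {p}: {SENSITIVE[p]}")
    return "\n".join(lines) if lines else "no sensitive permissions granted"


if __name__ == "__main__":
    print(report(audit(parse_granted(SAMPLE_DUMPSYS))))
```

On a real device the input text would come from `adb shell dumpsys package <pkg>` for each installed package; the point is that a "file manager" holding SMS and overlay permissions deserves a second look regardless of how it was installed, and revoking or uninstalling is cheaper than cleaning up after exfiltration.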